gitpod-io · roboquat · Sep 21, 2022 · Sep 20, 2022 · mustard-mh · Sep 21, 2022
diff --git a/install/installer/pkg/config/v1/config.go b/install/installer/pkg/config/v1/config.go
@@ -403,8 +403,9 @@ const (
 )
 
 type BlockNewUsers struct {
-	Enabled  bool     `json:"enabled"`
-	Passlist []string `json:"passlist"`
+	Enabled bool `json:"enabled"`
+	// Passlist []string `json:"passlist" validate:"min=1,unique,dive,fqdn"`
+	Passlist []string `json:"passlist" validate:"block_new_users_passlist"`
 }
 
 // AuthProviderConfigs this only contains what is necessary for validation

diff --git a/install/installer/pkg/config/v1/validation.go b/install/installer/pkg/config/v1/validation.go
@@ -6,6 +6,7 @@ package config
 
 import (
 	"fmt"
+	"regexp"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/cluster"
 	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
@@ -65,6 +66,38 @@ func (v version) LoadValidationFuncs(validate *validator.Validate) error {
 			_, ok := LogLevelList[LogLevel(fl.Field().String())]
 			return ok
 		},
+		"block_new_users_passlist": func(fl validator.FieldLevel) bool {
+			if !fl.Parent().FieldByName("Enabled").Bool() {
+				// Not enabled - it's valid
+				return true
+			}
+
+			if fl.Field().Len() == 0 {
+				// No exceptions
+				return false
+			}
+
+			// Use same regex as "fqdn"
+			// @link https://github.com/go-playground/validator/blob/c7e0172e0fd176bdc521afb5186818a7db6b77ac/regexes.go#L52
+			fqdnRegexStringRFC1123 := `^([a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62})(\.[a-zA-Z0-9]{1}[a-zA-Z0-9-]{0,62})*?(\.[a-zA-Z]{1}[a-zA-Z0-9]{0,62})\.?$`
+			fqdnRegexRFC1123 := regexp.MustCompile(fqdnRegexStringRFC1123)
+
+			for i := 0; i < fl.Field().Len(); i++ {
+				val := fl.Field().Index(i).String()
+
+				if val == "" {
+					// Empty value
+					return false
+				}
+
+				// Check that it validates as a fully-qualified domain name
+				valid := fqdnRegexRFC1123.MatchString(val)
+				if !valid {
+					return false
+				}
+			}
+			return true
+		},
 	}
 
 	for k, v := range experimental.ValidationChecks {

diff --git a/install/installer/pkg/config/validation.go b/install/installer/pkg/config/validation.go
@@ -55,6 +55,8 @@ func Validate(version ConfigVersion, cfg interface{}) (r *ValidationResult, err
 					res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' is %s '%s'", v.Namespace(), tag, v.Param()))
 				case "startswith":
 					res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' must start with '%s'", v.Namespace(), v.Param()))
+				case "block_new_users_passlist":
+					res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' failed. If 'Enabled = true', there must be at least one fully-qualified domain name in the passlist", v.Namespace()))
 				default:
 					// General error message
 					res.Fatal = append(res.Fatal, fmt.Sprintf("Field '%s' failed %s validation", v.Namespace(), v.Tag()))